Computer security alerts produce high-volume data that is difficult to evaluate. In particular, the data volume overwhelms even advanced data evaluation techniques, such as a Bayesian network. A Bayesian network is a probabilistic graphical model that represents a set of random variables and their conditional dependencies via a directed acyclic graph (DAG). Each node of the DAG has an associated probability function, and edges between nodes represent conditional dependencies. A Bayesian network requires a large number of subject matter expert (SME) probability judgments to capture a full set of beliefs. The exact number of required probabilities depends on the number of edges in the network, but the size of the joint probability distribution is a suitable heuristic. The size of the network's joint probability distribution can be calculated as the number of outcomes for each node raised to the power of the number of nodes in the belief network. For example, consider a hypothetical network used to determine whether a security event is malicious. If the network has 1 node for maliciousness (true or false) and 20 nodes for input facts (also true or false) that are believed to be useful for predicting maliciousness, then there are 2^(1+20) = 2,097,152 rows in the joint probability distribution. This is a prohibitively large amount of data entry for building a Bayesian model using existing techniques.
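The following worked example, added here and not part of the original text, makes the sizing argument concrete and also goes one step beyond it: it computes both the joint-distribution row count the paragraph uses as a heuristic and the number of conditional probability table (CPT) entries a Bayesian network actually needs once its edge structure is fixed. The node names (`malicious`, `fact_0` ... `fact_19`), the toy network shape (every fact node conditioned only on `malicious`) and the CPT values are constructed for illustration and do not come from any real alert-evaluation system.

```python
"""Size of the joint distribution versus the probabilities a Bayesian network
actually needs. The network structure and all probability values below are
constructed for illustration only."""
from itertools import product
from math import prod


def joint_distribution_rows(cardinalities):
    """Rows in the full joint probability table: the product of every node's
    outcome count. For n binary nodes this is 2**n (2**21 = 2,097,152 for the
    1 + 20 binary nodes discussed above)."""
    return prod(cardinalities.values())


def cpt_parameter_count(dag, cardinalities):
    """Independent probabilities an SME must supply for the network's CPTs.
    Each node needs (outcomes - 1) free entries for every combination of its
    parents' outcomes; the last entry in a CPT row is fixed because the row
    sums to 1. This depends on the edges, not on the joint table size."""
    total = 0
    for node, parents in dag.items():
        parent_configs = prod(cardinalities[p] for p in parents)  # 1 if no parents
        total += (cardinalities[node] - 1) * parent_configs
    return total


def alert_network(n_facts):
    """Constructed toy DAG: one binary 'malicious' node and n_facts binary
    evidence nodes, each with 'malicious' as its only parent.
    Returns (dag, cardinalities) where dag maps node -> list of parents."""
    dag = {"malicious": []}
    for i in range(n_facts):
        dag[f"fact_{i}"] = ["malicious"]
    cardinalities = {node: 2 for node in dag}
    return dag, cardinalities


def toy_cpts(dag):
    """Constructed CPTs: cpts[node][parent_outcomes] -> list of P(outcome)."""
    cpts = {}
    for node, parents in dag.items():
        if not parents:
            cpts[node] = {(): [0.9, 0.1]}            # P(malicious = false/true)
        else:
            cpts[node] = {(0,): [0.8, 0.2],          # P(fact | malicious = false)
                          (1,): [0.3, 0.7]}          # P(fact | malicious = true)
    return cpts


def factored_joint_sums_to_one(dag, cardinalities, cpts):
    """Enumerate every joint row as prod_i P(x_i | parents_i) and check the
    total is 1: the CPT entries alone determine the whole joint table, so the
    SME never has to fill in the joint rows directly."""
    nodes = list(dag)
    total = 0.0
    for assignment in product(*(range(cardinalities[n]) for n in nodes)):
        values = dict(zip(nodes, assignment))
        p = 1.0
        for node in nodes:
            parent_key = tuple(values[par] for par in dag[node])
            p *= cpts[node][parent_key][values[node]]
        total += p
    return abs(total - 1.0) < 1e-9


if __name__ == "__main__":
    dag, card = alert_network(20)
    print("joint distribution rows:", joint_distribution_rows(card))
    print("CPT probabilities required:", cpt_parameter_count(dag, card))
    small_dag, small_card = alert_network(4)   # 2**5 = 32 rows, quick to enumerate
    print("factored joint sums to 1:",
          factored_joint_sums_to_one(small_dag, small_card, toy_cpts(small_dag)))
```

For the 1 + 20 node case the joint table has 2,097,152 rows while the CPTs of this particular star-shaped DAG need only 41 probabilities; a DAG with more edges between the fact nodes raises the CPT count quickly, which is why the text treats the joint-table size as the conservative heuristic.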
Accordingly, there is a need for improved techniques for evaluating potential risks associated with high-volume computer security data, and for more robust feature sets to accurately predict the maliciousness of potential security events.